touch-packages team mailing list archive
-
touch-packages team
-
Mailing list archive
-
Message #67246
[Bug 1409117] Re: GPG does not verify keys received when using --recv-keys leaving communicaiton with key servers vulnerable to MITM
This bug was fixed in the package gnupg - 1.4.16-1.2ubuntu1.2
---------------
gnupg (1.4.16-1.2ubuntu1.2) utopic-security; urgency=medium
* Screen responses from keyservers (LP: #1409117)
- d/p/0001-Screen-keyserver-responses.patch
- d/p/0002-Make-screening-of-keyserver-result-work-with-multi-k.patch
- d/p/0003-Add-kbnode_t-for-easier-backporting.patch
- d/p/0004-gpg-Fix-regression-due-to-the-keyserver-import-filte.patch
* Fix large key size regression from CVE-2014-5270 changes (LP: #1371766)
- d/p/Add-build-and-runtime-support-for-larger-RSA-key.patch
- debian/rules: build with --enable-large-secmem
* SECURITY UPDATE: sidechannel attack on Elgamal
- debian/patches/CVE-2014-3591.patch: use ciphertext blinding in
cipher/elgamal.c.
- CVE-2014-3591
* SECURITY UPDATE: sidechannel attack via timing variations in mpi_powm
- debian/patches/CVE-2015-0837.patch: avoid timing variations in
include/mpi.h, mpi/mpi-pow.c, mpi/mpiutil.c.
- CVE-2015-0837
* SECURITY UPDATE: invalid memory read via invalid keyring
- debian/patches/CVE-2015-1606.patch: skip all packets not allowed in
a keyring in g10/keyring.c.
- CVE-2015-1606
* SECURITY UPDATE: memcpy with overlapping ranges
- debian/patches/CVE-2015-1607.patch: use inline functions to convert
buffer data to scalars in g10/apdu.c, g10/app-openpgp.c,
g10/build-packet.c, g10/ccid-driver.c, g10/getkey.c, g10/keygen.c,
g10/keyid.c, g10/misc.c, g10/parse-packet.c, g10/tdbio.c,
g10/trustdb.c, include/host2net.h.
- CVE-2015-1607
-- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx> Fri, 27 Mar 2015 08:21:50 -0400
** Changed in: gnupg (Ubuntu Utopic)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-3591
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-5270
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-0837
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-1606
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2015-1607
** Changed in: gnupg (Ubuntu Trusty)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnupg in Ubuntu.
https://bugs.launchpad.net/bugs/1409117
Title:
GPG does not verify keys received when using --recv-keys leaving
communicaiton with key servers vulnerable to MITM
Status in GNU Privacy Guard:
Fix Released
Status in gnupg package in Ubuntu:
Fix Released
Status in gnupg2 package in Ubuntu:
Fix Released
Status in gnupg source package in Lucid:
Confirmed
Status in gnupg2 source package in Lucid:
Confirmed
Status in gnupg source package in Precise:
Fix Released
Status in gnupg2 source package in Precise:
Fix Released
Status in gnupg source package in Trusty:
Fix Released
Status in gnupg2 source package in Trusty:
Fix Released
Status in gnupg source package in Utopic:
Fix Released
Status in gnupg2 source package in Utopic:
Fix Released
Status in gnupg source package in Vivid:
Fix Released
Status in gnupg2 source package in Vivid:
Fix Released
Status in gnupg package in Debian:
Fix Released
Bug description:
The patch from http://bugs.gnupg.org/gnupg/issue1579 is critical and
should be backported to 12.04; right now, it is not.
This leaves 12.04 users of GPG2 vulnerable to MITM attacks on gpg2
--recv-keys. See https://evil32.com/ for an example (the text that is
striked out; the gpg2 package on 12.04 is still vulnerable).
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnupg/+bug/1409117/+subscriptions
